Vulnerabilities
August 20, 2024

Zero-Day Vulnerability in Windows Driver Exploited by Lazarus Hackers to Deploy Rootkit

The notorious North Korean hacking group, Lazarus, has been found exploiting a critical zero-day vulnerability in the Windows AFD.sys driver. This flaw enabled the group to gain elevated privileges on targeted systems and deploy the stealthy FUDModule rootkit, which effectively bypasses security defences.

The vulnerability, now tracked as CVE-2024-38193, was addressed by Microsoft in its August 2024 Patch Tuesday update, alongside fixes for seven other zero-day vulnerabilities. This particular flaw is classified as a Bring Your Own Vulnerable Driver (BYOVD) issue within the Windows Ancillary Function Driver for WinSock (AFD.sys), a crucial component that interfaces with the Windows Kernel for network operations.

The flaw was uncovered by researchers at Gen Digital, who noted that Lazarus had been actively exploiting it as a zero-day to distribute the FUDModule rootkit. This sophisticated malware is designed to disable Windows monitoring features, making it extremely difficult for security tools to detect its presence.

"In early June, our researchers, Luigino Camastra and Milanek, identified that Lazarus was exploiting an unpatched vulnerability in the AFD.sys driver," stated Gen Digital. "This vulnerability gave them unauthorised access to critical system areas, which they exploited using FUDModule to mask their malicious activities from detection."

A BYOVD attack involves deliberately installing, on a target machine, a driver that is known to be vulnerable and then exploiting that driver to obtain kernel-level access. This method is particularly dangerous because it often leverages legitimately signed third-party drivers, such as those from antivirus software or hardware components, which inherently require high privileges.

Because AFD.sys is installed by default on all Windows devices, this specific vulnerability was particularly critical. Unlike other BYOVD attacks, Lazarus did not need to install an outdated or easily detectable driver, as AFD.sys is universally present and essential to the system's operation.

Lazarus has a history of exploiting similar vulnerabilities, previously abusing the Windows appid.sys and Dell dbutil_2_3.sys drivers to install the FUDModule rootkit in other attacks.
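A defender-side audit for the BYOVD pattern described above, written as an added example (not code from the article, Gen Digital or Microsoft). It reports whether the Microsoft Vulnerable Driver Blocklist and HVCI are enabled (the registry value names are assumptions to verify against your Windows build), flags loaded kernel drivers that are on a watchlist, live outside the default drivers folder or fail signature checks, and prints the installed afd.sys file version so it can be compared with the build shipped in the August 2024 update.

```powershell
# Constructed watchlist: the Dell driver named in the article; extend with your own blocklist.
$watchlist = @('dbutil_2_3.sys')

function Get-DriverBlocklistStatus {
    # Registry locations assumed from Windows Core Isolation settings; verify on your build.
    $ci   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    [pscustomobject]@{
        VulnerableDriverBlocklist = (Get-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
        HVCIEnabled               = (Get-ItemProperty -Path $hvci -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }
}

function Get-SuspiciousDrivers {
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
        # Normalise the kernel-style paths WMI returns (\??\C:\..., \SystemRoot\..., relative).
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        $name = [IO.Path]::GetFileName($path)
        # Catalog-signed Windows files may report differently on older PowerShell builds.
        $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
        $reasons = @()
        if ($watchlist -contains $name)     { $reasons += 'on watchlist' }
        if ($path -notlike "$driverDir\*")  { $reasons += 'outside drivers folder' }
        if ($sig -ne 'Valid')               { $reasons += "signature $sig" }
        if ($reasons) {
            [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $path; Reasons = ($reasons -join '; ') }
        }
    }
}

function Get-AfdVersion {
    # The page does not give the patched build number, so only the installed version is reported.
    (Get-Item (Join-Path $env:SystemRoot 'System32\drivers\afd.sys')).VersionInfo.FileVersion
}

Get-DriverBlocklistStatus | Format-List
"afd.sys file version: $(Get-AfdVersion) (compare with the August 2024 Patch Tuesday build)"
Get-SuspiciousDrivers | Format-Table -AutoSize
```

Run from an elevated PowerShell session; a driver listed with "outside drivers folder" or an invalid signature is a lead to investigate, not proof of compromise.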

Background on Lazarus Group

While Gen Digital has not disclosed specific details about the targets or timing of these attacks, the Lazarus group is well-known for targeting financial institutions and cryptocurrency firms in high-stakes cyber heists. These operations are believed to fund North Korea's government programs, including its weapons and cyber capabilities.

Lazarus first gained global attention after the 2014 Sony Pictures hack and the 2017 WannaCry ransomware campaign, which crippled businesses worldwide. More recently, in April 2022, the group was linked to a cyber-attack on Axie Infinity, resulting in the theft of over $617 million in cryptocurrency.

In response to their continued threat, the U.S. government has offered a reward of up to $5 million for information that could lead to the identification or location of members involved in these malicious activities.
